ABSTRACT

Line Speed Publish/Subscribe Inter-networking (LIPSIN) is one of the proposed forwarding mechanisms in Information Centric Networking (ICN). It is a stateless source-routing approach based on Bloom filters. However, it has been shown that LIPSIN is vulnerable to brute-force attacks which may lead to distributed denial-of-service (DDoS) attacks and unsolicited messages. In this work, we propose a new forwarding approach that maintains the advantages of Bloom filter based forwarding while allowing forwarding nodes to statelessly verify whether packets have been previously authorized, thus preventing attacks on the forwarding mechanism. Analysis of the probability of attack, derived analytically, demonstrates that the technique is highly resistant to brute-force attacks.


1. INTRODUCTION 

The Publish-Subscribe Internet Technology architecture (PURSUIT) is one of the promising ICN candidates for a future Internet. It aims at redesigning the current Internet to solve many existing limitations, such as security, routing scalability, and multicast. The PURSUIT architecture defines the following three types of network entities: publishers (Pub), subscribers (Sub), and the mediation system. The mediation system is broken down into two functions: Rendezvous (RV) and topology management (TM). These two functions control the third function: forwarding (FW). The network connectivity is expressed by flat, Bloom filter-based identifiers called Lids, where each edge in the network has at least two unidirectional Lids, one in each direction.

The RV is responsible for matching publishers and subscribers for a given information item. When a match is detected, the RV contacts the TM, which is responsible for maintaining intra-domain knowledge of an autonomous system and for constructing a delivery path in the form of a LIPSIN forwarding identifier (Fid) [2]. After the path has been defined, the FW nodes are responsible for packet switching and for delivering the information item from the Pub to the Sub. The POINT project [1] builds on this architecture to also introduce a network attachment point (NAP) for user equipment (UE) to attach to the network. The UE may be either a standard IP client or may use LIPSIN for a native ICN interface. Devices that use native ICN might include those that are newly developed, for example Internet of Things (IoT) devices. This paper is relevant to this latter type of device.


2. RELATED WORK 

In the LIPSIN forwarding approach [2], false positives may exist such that packets can be forwarded over links that were not intended to be included in the forwarding path; this can be exploited to launch a brute-force attack. In this attack, a malicious node tries all, or a sufficiently large number of, possible Fids to obtain one that generates false positives and reaches a target. The probability, P_fw, of guessing a valid Fid of a Bloom filter constructed with a maximum fill factor of p_m, k hash functions and representing a path length of l is given by [2]:

P_fw = p_m    (1)

In [3], it has been shown that replay attacks and computational attacks are also possible. During a replay attack the attacker exploits a previously created valid Fid for sending non-requested traffic. A computational attack is launched by collecting a number of valid Fids and analyzing the correlation between their bit patterns.

Building upon the LIPSIN forwarding scheme and prior work [2, 3], this paper proposes a forwarding approach that effectively prevents the above-mentioned attacks, using network capabilities. In the rest of this paper, we describe our proposed forwarding approach and analyse the resistance of our solution to brute-force attacks.

3. SECURE ATTACHMENT APPROACH 

In this approach, we propose a validation mechanism that checks the legitimacy of Fids sent by a publisher, at the ingress of the network. The approach is based on the following assumptions: no FW node in the network is hostile; the FW node that is directly connected to a user is the NAP; and each such node holds a pair of 128-bit master keys, k_1 and k_2.

3.1 Secure Fid Generation 

In the following, we refer to the original forwarding identifier generated by the TM as Fid and to its encrypted form as eFId; the one used by the Pub is called eFId_p and its decrypted form FId_p. The hash that is taken over eFId is referred to as h, whereas the hash that is used by the Pub is h_p. In the case of legitimate UE: eFId_p = eFId and h_p = h. In this scheme, the process of generating the Fid is almost the same as in LIPSIN; the only difference is that the constructed Fid is sent by the TM to the NAP instead of to the publisher. Upon receipt of the Fid, the NAP encrypts it using the AES algorithm, which produces the encrypted eFId. The purpose of this encryption step is to preserve the confidentiality of the Fid, so that a computational attack is prevented by hiding the content of the Fid from the Pub.

To prevent brute-force attacks, the NAP node creates a 64-bit hash h over the encrypted Fid using k_2, so that the hash becomes bound to a specific Fid. The pair {eFId, h} is then forwarded to the relevant directly connected Pub in order to be used in the communication with the subscriber. Note that the Pub, which might be a lightweight device, does not have to compute any encryption algorithms.

3.2 Secure Fid Forwarding 

Upon receiving the pair {eFId, h} from the NAP, the publisher starts the communication with the subscriber by placing this pair in each transmitted packet header and forwarding it to its local NAP. When the NAP receives a packet from the Pub, it first performs two checks: the security check and the forwarding check. The purpose of the security check is to validate the received eFId_p, i.e. whether it is legitimate and has been created by the TM. This check is performed once and only for packets coming from the publisher. The forwarding check is the LIPSIN membership check that is performed to decide where packets should be forwarded for the next hop [2]. An incoming packet is forwarded to the next hop only if it passes both checks. In the security check, the NAP verifies the integrity of the received eFId_p against h_p.

If the packet passes the security check, then the eFId_p is assumed to be legitimate. In this case the NAP replaces the encrypted eFId_p with a plaintext copy of the FId_p. Then, the forwarding check is performed against each outgoing interface using the FId_p. If the result of the check is true, the packet is forwarded to the next FW node along the path. At each subsequent FW node, only the forwarding check is performed. To prevent replay attacks, the master key k_2 that is used to protect the hash is changed periodically.
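The NAP procedure of sections 3.1 and 3.2, as an added example in Go; this is not the paper's or the POINT project's code. It makes the following assumptions beyond the text: AES-128-CBC under k_1 with an all-zero IV (the paper says only "AES"; a fixed IV keeps eFId at 256 bits but makes the encryption deterministic), h computed as HMAC-SHA256 under k_2 truncated to 64 bits (the paper fixes only the length), m = 256 and k = 5 as in Figure 1, and Lids derived from constructed link names with SHA-256 in place of the TM's real assignment. All type and function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const (
	fidBytes = 32 // m = 256 bits, the eFId size of Figure 1
	kHashes  = 5  // k hash functions per Lid
	hLen     = 8  // |h| = 64 bits
)

// Fid is an m-bit Bloom filter (a LIPSIN forwarding identifier).
type Fid [fidBytes]byte

// lidBits gives the k bit positions of a link identifier. Assumption: the paper
// does not say how Lids are assigned; SHA-256 of a constructed link name is used.
func lidBits(lid string) [kHashes]uint32 {
	sum := sha256.Sum256([]byte(lid))
	var pos [kHashes]uint32
	for i := range pos {
		pos[i] = binary.BigEndian.Uint32(sum[4*i:]) % (fidBytes * 8)
	}
	return pos
}

func (f *Fid) set(b uint32)      { f[b/8] |= 1 << (b % 8) }
func (f *Fid) has(b uint32) bool { return f[b/8]&(1<<(b%8)) != 0 }

// BuildFid is the TM's step: OR the Lids of every link on the delivery path.
func BuildFid(path []string) Fid {
	var f Fid
	for _, lid := range path {
		for _, b := range lidBits(lid) {
			f.set(b)
		}
	}
	return f
}

// ForwardingCheck is the LIPSIN membership test run at every FW node.
func ForwardingCheck(f Fid, lid string) bool {
	for _, b := range lidBits(lid) {
		if !f.has(b) {
			return false
		}
	}
	return true
}

// NAP holds the two 128-bit master keys: k1 for AES, k2 for the keyed hash.
type NAP struct{ k1, k2 []byte }

// cbc runs AES-128-CBC under k1. Assumption: the paper says only "AES"; the
// all-zero IV keeps eFId at exactly 256 bits but makes equal Fids encrypt alike.
func (n NAP) cbc(src []byte, decrypt bool) []byte {
	block, err := aes.NewCipher(n.k1)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize)
	mode := cipher.NewCBCEncrypter(block, iv)
	if decrypt {
		mode = cipher.NewCBCDecrypter(block, iv)
	}
	dst := make([]byte, len(src))
	mode.CryptBlocks(dst, src)
	return dst
}

// hashOf computes h over eFId under k2 as HMAC-SHA256 truncated to 64 bits.
// Assumption: the paper fixes only the 64-bit length, not the construction.
func (n NAP) hashOf(eFId []byte) []byte {
	mac := hmac.New(sha256.New, n.k2)
	mac.Write(eFId)
	return mac.Sum(nil)[:hLen]
}

// Issue is the NAP side of 3.1: the TM hands the Fid to the NAP, which
// returns the pair {eFId, h} to its directly connected Pub.
func (n NAP) Issue(f Fid) (eFId, h []byte) {
	eFId = n.cbc(f[:], false)
	return eFId, n.hashOf(eFId)
}

// SecurityCheck validates {eFId_p, h_p} from a Pub packet in constant time.
func (n NAP) SecurityCheck(eFIdP, hP []byte) bool {
	return len(eFIdP) == fidBytes && hmac.Equal(hP, n.hashOf(eFIdP))
}

// Ingress is the NAP's per-packet procedure of 3.2: security check, swap
// eFId_p for the plaintext FId_p, then the forwarding check per outgoing
// interface. ok=false means the packet was dropped at the security check.
func (n NAP) Ingress(eFIdP, hP []byte, outLinks []string) (egress []string, ok bool) {
	if !n.SecurityCheck(eFIdP, hP) {
		return nil, false
	}
	var fidP Fid
	copy(fidP[:], n.cbc(eFIdP, true))
	for _, lid := range outLinks {
		if ForwardingCheck(fidP, lid) {
			egress = append(egress, lid)
		}
	}
	return egress, true
}

// RotateHashKey replaces k2 periodically, which invalidates replayed pairs.
func (n *NAP) RotateHashKey(k2 []byte) { n.k2 = k2 }

func main() {
	nap := &NAP{k1: bytes.Repeat([]byte{0x11}, 16), k2: bytes.Repeat([]byte{0x22}, 16)}
	path := []string{"nap->fw1", "fw1->fw2", "fw2->sub"} // constructed delivery path
	eFId, h := nap.Issue(BuildFid(path))
	fmt.Println(nap.Ingress(eFId, h, []string{"nap->fw1", "nap->fw9"}))
	forged := append([]byte(nil), eFId...)
	forged[0] ^= 0x01
	_, ok := nap.Ingress(forged, h, path)
	fmt.Println("tampered eFId_p accepted:", ok)
	nap.RotateHashKey(bytes.Repeat([]byte{0x33}, 16))
	_, ok = nap.Ingress(eFId, h, path)
	fmt.Println("replayed pair accepted after k2 rotation:", ok)
}
```

Running main forwards the legitimate packet on the on-path interface, then shows that a one-bit change to eFId_p and a replayed {eFId, h} pair after k_2 rotation are both dropped at the security check before any Bloom filter lookup happens. Because rotation also invalidates pairs held by legitimate publishers, the rotation period must be matched with reissuing {eFId, h} to attached devices.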

4. ATTACK ANALYSIS 

The proposed forwarding approach effectively stops the previously described attacks. For example, to inject traffic to a victim 4 hops away using a brute-force attack, the attacker has to pass both the security check and the forwarding check at the NAP, and also the subsequent forwarding checks in the FW nodes along the path. In this section, we analyse the probability of injecting unwanted traffic using brute-force attacks. The probability of passing the forwarding check, P_fw, is the probability of guessing a valid Fid that causes false positives along a path, which is given by (1). The probability of passing the security check, p_sc, will now be determined; it is equivalent to guessing the hash using the so-called birthday paradox attack [3]. To show how a collision is found in the context of our approach, assume H is a hash function such that H : D → R, where D is the set of all possible combinations of Fids, R is the range of H, and |R| = r is the number of all possible hashes. A hash collision occurs for distinct eFId_1, eFId_2 ∈ D where H(eFId_1) = H(eFId_2). To estimate how many attack attempts x, consisting of injecting random pairs {Fid, h}, are required to achieve a given probability p_sc of finding a hash collision, we use the following approximation [3]:
Figure 1: Attack probability, p_a, using the proposed eFId or LIPSIN over different path lengths. eFId: m = 256, |h| = 64. LIPSIN: m = 320. The Bloom filter has 23 Lids with k = 5.

Therefore, to successfully reach a victim, the attacker has to pass all checks at the NAP and at the subsequent on-path FW nodes, and the probability of this is: p_a = p_sc × P_fw. Figure 1 shows the probability p_a for different attack path lengths l in both approaches: the existing LIPSIN approach and the proposed NAP approach. The left figure represents the case when n = 23 Lids and shows a significant improvement in the probability p_a when using the encrypted Fid. For example, when p_sc is 10^-6, the probability of attack p_a to reach a victim attached to the same NAP node as the attacker is ≈ 1.3 × 10^-8, compared with approximately 0.0001 when deploying the basic LIPSIN forwarding approach. This is just to pass the first node on the path, and the probability p_a gets lower as the number of hops increases.
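The attack-probability analysis above, as an added worked example that is not part of the paper: it evaluates p_a = p_sc × P_fw for several path lengths and cross-checks the forwarding-check term by simulation. Its assumptions are not readings of the page: the exponent of equation (1) did not survive extraction, so the code uses the standard LIPSIN false-positive estimate P_fw = p_m^(k·l); each Lid is modelled as k uniformly random bit positions, the brute-forcing packet as a filter with exactly p_m·m bits set, and p_sc is taken as an input parameter rather than derived from the birthday bound whose formula is also missing from this copy. The function names and sample parameters (m = 256, k = 5, p_m = 0.5) are the example's own.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// AnalyticPfw is the probability that a guessed filter with a fraction pm of
// its bits set passes the membership check on all l links of a path, each link
// needing k bits: pm^(k*l). Assumption: the page's equation (1) lost its
// exponent in extraction; this is the standard LIPSIN estimate, not the paper's.
func AnalyticPfw(pm float64, k, l int) float64 {
	return math.Pow(pm, float64(k*l))
}

// AttackProbability is p_a = p_sc × P_fw from section 4, with p_sc supplied.
func AttackProbability(pSc, pm float64, k, l int) float64 {
	return pSc * AnalyticPfw(pm, k, l)
}

// EstimatePfw checks the formula by simulation. Per trial the victim path is
// l constructed Lids of k uniformly chosen bit positions, the guessed Fid has
// exactly round(pm*m) bits set at random, and the trial is a hit only if every
// Lid on the path passes the membership check. The seed fixes the run.
func EstimatePfw(m, k, l int, pm float64, trials int, seed int64) float64 {
	r := rand.New(rand.NewSource(seed))
	setBits := int(math.Round(pm * float64(m)))
	hits := 0
	for t := 0; t < trials; t++ {
		fid := make([]bool, m)
		for _, pos := range r.Perm(m)[:setBits] {
			fid[pos] = true
		}
		passed := true
		for link := 0; link < l && passed; link++ {
			for i := 0; i < k; i++ {
				if !fid[r.Intn(m)] { // one unset bit fails the whole Lid
					passed = false
					break
				}
			}
		}
		if passed {
			hits++
		}
	}
	return float64(hits) / float64(trials)
}

func main() {
	const m, k = 256, 5
	pm := 0.5 // sample fill factor, chosen for the example
	fmt.Printf("%-3s %-12s %-12s %-12s\n", "l", "analytic", "simulated", "p_a (p_sc=1e-6)")
	for l := 1; l <= 3; l++ {
		fmt.Printf("%-3d %-12.3e %-12.3e %-12.3e\n", l, AnalyticPfw(pm, k, l),
			EstimatePfw(m, k, l, pm, 200000, int64(l)), AttackProbability(1e-6, pm, k, l))
	}
}
```

The table printed by main shows the simulated pass rate tracking p_m^(k·l) and p_a dropping by a factor of p_m^k per additional hop; comparing the last column against the same run with p_sc = 1 is the LIPSIN-versus-eFId contrast of Figure 1 under these assumed parameters.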

5. CONCLUSION 

In this paper, a new approach to protect the forwarding plane against brute-force attacks, computational attacks and replay attacks in the PURSUIT ICN architecture has been presented. This mechanism uses encryption to identify illegitimate forwarding identifiers at the ingress of the network. With this mechanism, the probability of a brute-force attack has been significantly reduced compared to the basic LIPSIN forwarding.